从/ var / log / messages中过滤文本并在logstash中转发

时间:2014-07-28 12:07:59

标签: logstash

我正在使用logstash并且无法弄清楚如何过滤。我想从/ var / log / messages中过滤以下日志,并仅转发包含[INFO]的行。

mingus  sshd[INFO]: Failed password for illegal user user from 219.117.251.250 port 44741 ssh2
mingus  sshd[INFO]: Failed password for root from 219.117.251.250 port 44817 ssh2
mingus  sshd[2264]: Failed password for root from 219.117.251.250 port 44866 ssh2
mingus  sshd[INFO]: Failed password for root from 219.117.251.250 port 44918 ssh2
mingus  sshd[2268]: Illegal user test from 219.117.251.250
mingus  sshd[2268]: Failed password for illegal user test from 219.117.251.250 port 44997 ssh2

我想知道是否有可能。

1 个答案:

答案 0 :(得分:0)

是的,这是可能的!使用grok过滤器提取所需信息。您可以使用它来获取包含“sshd [(此处为某些字符串)]”内部的字段。例如:

filter {
    grok {
        match => ["message", "mingus  sshd\[%{WORD:messagetype}\]: %{GREEDYDATA}"]
    }
}

完成后,您可以在输出上使用条件,以便只传递包含INFO的行。例如:

output {
    if [messagetype] == "INFO" {
        stdout {
            codec => "rubydebug"
        }
    }
}

我希望这有帮助!

编辑: 这是我的conf文件:

input {
    stdin {}
}
filter {
    grok {
        match => ["message", "mingus  sshd\[%{WORD:messagetype}\]: %{GREEDYDATA}"]
    }
}
output {
    if [messagetype] == "INFO" {
        stdout {
            codec => "rubydebug"
        }
    }
}

使用stdin和stdout的选择很容易使调试变得容易。使用提供的日志行片段,我输入了这个输入:

mingus  sshd[INFO]: Failed password for illegal user user from 219.117.251.250 port 44741   ssh2
mingus  sshd[INFO]: Failed password for root from 219.117.251.250 port 44817 ssh2
mingus  sshd[2264]: Failed password for root from 219.117.251.250 port 44866 ssh2
mingus  sshd[INFO]: Failed password for root from 219.117.251.250 port 44918 ssh2
mingus  sshd[2268]: Illegal user test from 219.117.251.250
mingus  sshd[2268]: Failed password for illegal user test from 219.117.251.250 port 44997 ssh2

并收到以下输出:

{
        "message" => "mingus  sshd[INFO]: Failed password for illegal user user from         219.117.251.250 port 44741 ssh2",
       "@version" => "1",
     "@timestamp" => "2014-07-31T13:59:34.376Z",
           "host" => "cmssrv221.fnal.gov",
    "messagetype" => "INFO"
}
{
        "message" => "mingus  sshd[INFO]: Failed password for root from 219.117.251.250 port 44817 ssh2",
       "@version" => "1",
     "@timestamp" => "2014-07-31T13:59:34.378Z",
           "host" => "cmssrv221.fnal.gov",
    "messagetype" => "INFO"
}
{
        "message" => "mingus  sshd[INFO]: Failed password for root from 219.117.251.250 port 44918 ssh2",
       "@version" => "1",
     "@timestamp" => "2014-07-31T13:59:34.387Z",
           "host" => "cmssrv221.fnal.gov",
    "messagetype" => "INFO"
}

根据您提供给我的信息,这似乎是您想要的。如果这不是您想要的,那么您必须更加具体。

顺便说一下,我正在使用logstash 1.4.1,以防您使用的版本大不相同。

相关问题
最新问题